Security Basics mailing list archives

Re: Some rare log entry on our wiki server


From: Andrew Smith <stfunub () gmail com>
Date: Thu, 3 Feb 2005 20:53:43 +0000

This is an attempt to exploit the WebDAV vulnerability in IIS servers.
Nothing to worry about, it will be fully patched, but the worms are
still out and about. I get about 100 of these a day on my IP range
(local ISP).


On Thu, 3 Feb 2005 00:37:56 +0100, Joachim Schipper
<j.schipper () math uu nl> wrote:
On Wed, Feb 02, 2005 at 09:49:10AM +0100, Pere Urbon Bayes wrote:
I have one LAMP wiki server, and today I found one rare log entry. I was
looking for it on Google, but it didn't give me any answer!! :<. Does any one
of you have any idea about it? I'd be very thankful.

My log entry was:

GET /SEARCH%20/%5Cx90%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%5Cxc9%
5Cxc9%5Cxc9%5C

It's very long, but I didn't post it all.

Thanks

It's a buffer overflow attempt, someone trying to crack open your web
server. It probably failed, or you wouldn't be seeing this entry!

You can try to look up the specific shellcode used (and logged, above)
on the web, though I'd recommend going for the last part - this is
probably just a NOOP sled, while the actual code is at the end.

However, I wouldn't worry too much about it. I see such an attempt every
couple of days. If you are security conscious, put Apache in a chroot()
jail and add mod_security.

                Joachim



-- 
zxy_rbt2
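As an added example (not code from the thread or from any of its participants), here is a small Python detector that applies the reading Joachim gives above to access-log lines: it URL-decodes the request target, folds literal \xNN escape text into real bytes (this worm sends its payload as escaped text, not raw bytes), and flags any long run of one repeated byte as a NOP-sled signature. The log lines are constructed for the example, and the function names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache access-log sample (not taken from the thread). The first request
# mirrors the shape of the entry discussed above, cut down to a 24-byte sled; the rest are benign.
SAMPLE_LOG = (
    '203.0.113.5 - - [03/Feb/2005:00:12:01 +0100] "GET /SEARCH%20/%5Cx90'
    + "%5Cxc9" * 24 + ' HTTP/1.1" 404 301\n'
    '198.51.100.7 - - [03/Feb/2005:00:15:44 +0100] "GET /wiki/Main_Page HTTP/1.1" 200 5123\n'
    '198.51.100.7 - - [03/Feb/2005:00:16:02 +0100] "POST /wiki/index.php?title=Talk HTTP/1.1" 302 0\n'
)

# Pull method, target and protocol out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*?) (?P<proto>HTTP/[\d.]+)"')
# Payloads of this kind often carry the shellcode as literal "\xNN" text rather than raw
# bytes; fold that notation into bytes so both forms are measured the same way.
ESCAPE_RE = re.compile(rb'\\x([0-9a-fA-F]{2})')
# One run of a single repeated byte (DOTALL so 0x0a counts like any other byte).
RUN_RE = re.compile(rb'(.)\1*', re.DOTALL)


def normalise_target(target: str) -> bytes:
    """URL-decode the request target, then turn literal \\xNN escapes into bytes."""
    raw = unquote_to_bytes(target)
    return ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def longest_run(data: bytes) -> tuple:
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best = (-1, 0)
    for m in RUN_RE.finditer(data):
        if len(m.group(0)) > best[1]:
            best = (m.group(0)[0], len(m.group(0)))
    return best


def find_sleds(log_text: str, min_run: int = 16) -> list:
    """Flag requests whose decoded target holds a long run of one byte (a NOP-sled signature)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        value, length = longest_run(normalise_target(m.group("target")))
        if length >= min_run:
            findings.append({"line": lineno, "client": line.split(" ", 1)[0],
                             "method": m.group("method"), "byte": value, "run": length})
    return findings


if __name__ == "__main__":
    for f in find_sleds(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['method']} run of 0x{f['byte']:02x} x{f['run']}")
```

The threshold of 16 repeated bytes is a starting point; tune it against your own logs, since legitimate long query strings rarely repeat one byte that many times in a row.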

